TLS: fix heuristics to match a TCP segment with just a TLS record header

The TLS stream of IBM WebSphere doesn't get detected since the TLS record is sent in two packets: First the five bytes of the TLS record header, then the TLS record data. Bug: 16085 Change-Id: Ide8758dc7f6a14e4a5aeb01abc7fcaa42374f675 Reviewed-on: https://code.wireshark.org/review/34634 Petri-Dish: Peter Wu <peter@lekensteyn.nl> Tested-by: Petri Dish Buildbot Reviewed-by: Peter Wu <peter@lekensteyn.nl>
author: Edwin Groothuis <wireshark@mavetju.org> 2019-09-28 01:13:31 +1000
committer: Peter Wu <peter@lekensteyn.nl> 2019-10-02 22:32:51 +0000
commit: 79c8b446b67d71c6e61a2de934769228c5ace0db (patch)
tree: 55ff324eec7af9ae642f6a87c16b00f3bcc51f56
parent: b5d6c9922b8ce3446f9584692a7032adeed1db15 (diff)
1 files changed, 6 insertions, 3 deletions
diff --git a/epan/dissectors/packet-tls.c b/epan/dissectors/packet-tls.c
index 20d719dd2b..a4047bd6b5 100644
--- a/epan/dissectors/packet-tls.c
+++ b/epan/dissectors/packet-tls.c
@@ -867,10 +867,13 @@ is_sslv3_or_tls(tvbuff_t *tvb)
     guint16             protocol_version, record_length;
 
     /*
-     * Heuristics should match a non-empty TLS record:
-     * ContentType (1), ProtocolVersion (2), Length (2), fragment (...)
+     * Heuristics should match the TLS record header.
+     * ContentType (1), ProtocolVersion (2), Length (2)
+     *
+     * We do not check for an actual payload, IBM WebSphere is known
+     * to separate the record header and payload over two separate packets.
      */
-    if (tvb_captured_length(tvb) < 6) {
+    if (tvb_captured_length(tvb) < 5) {
         return FALSE;
     }
author	Edwin Groothuis <wireshark@mavetju.org>	2019-09-28 01:13:31 +1000
committer	Peter Wu <peter@lekensteyn.nl>	2019-10-02 22:32:51 +0000
commit	79c8b446b67d71c6e61a2de934769228c5ace0db (patch)
tree	55ff324eec7af9ae642f6a87c16b00f3bcc51f56
parent	b5d6c9922b8ce3446f9584692a7032adeed1db15 (diff)